Log4j Software Vulnerability – Cyber Safety Review Board

Jul 28, 2022 | , , , | News

A humble piece of software code may be exposing your business secrets right now, and this is not just a developer’s problem.

The “engine room” or “source code” of computer software, such as Acrobat PDF Reader or the online and very popular Microsoft game “Minecraft,” contains thousands of lines of code.


Consider these bits of code to be phrases of words or Lego blocks of varying colours and configurations.

The computer language used to write software programmes for organizations as diverse as IBM, Netflix, or Minecraft, uses the same pieces of code, or Lego bricks. Why reinvent the wheel?

However, every company that utilizes that set of Lego blocks in its programming is at risk if the set has a vulnerability.

Around December 2021, it was revealed that certain logging libraries created in the well-known programming language Java contained just such a collection of Lego blocks with the potential to misbehave.

Developers use logging libraries to document all kinds of internal operations in a variety of computer systems. This can be helpful for resolving problems, finding bugs, and understanding how an application behaves under different circumstances.

A widely-used Java logging library is Apache Log4j, an open source software program available to any developer. Savvy Java programmers all over the world opted to use this Lego set instead of designing their own logging system from scratch.

For the previous nine years, this system was used in software systems all across the globe without any significant safety concerns emerging.

In a Perfect Storm-scenario, multitudes of software developers have been using Log4j, none the wiser that it was fairly easy to be “hijacked” to send the information that it logged to a hacker.

IBM, Netflix, and Minecraft used it in their software, as well as every other company listed at Cyber Security Help.

The world came to realise the hidden dangers lurking in the errant Lego set around December 2021, and the cybersecurity world was in turmoil.

This was serious. The Director of the US Cybersecurity and Infrastructure Security Agency (CISA) reported on TV that the Log4j security flaw was the “most serious” vulnerability that she had seen in her decades-long career and that it could take years to address.

CISA provides assistance to other governmental bodies as well as businesses in resolving cybersecurity challenges and to protect and secure critical infrastructure in the United States.

To even begin to defend against this particular threat, information was needed. The first question facing organizations like CISA was where to even start to plug the hole. A central database of developers that had used this particular logging system in their source code even exist at the time.

In order to recover all the missing Lego pieces, leaders from the public and private sectors, the open-source community, and scholars from around the world had to collaborate throughout the course of the weekends and December holidays in 2021.

They got it done!

The gap was plugged. A new version of the software was issued, and the day was saved. On the face of it, that was the end of the matter. Everyone sighed a collective sigh of relief until…

To be continued…

The content does not constitute legal advice, are not intended to be a substitute for legal advice and should not be relied upon as such. Kindly contact us on info@cklaw.co.za or 021 556 9864 to speak to one of our attorneys.

Related News